author | Olivier Paroz <github@oparoz.com> | 2015-09-28 23:51:02 +0300 |
committer | Olivier Paroz <github@oparoz.com> | 2015-09-28 23:51:02 +0300 |
commit | d36a8d5ce9248eb3e6ff2d0712ca1accd0da6ef9 (patch) | |
tree | 783244d363daa92219b2e248636599b3924eddc8 | |
parent | e3024b83105993ad85b8474c5dc39ff2fc880cb5 (diff) |
Sanitize SVG previews in the slideshow
[ci skip]
-rw-r--r-- | appinfo/app.php | 1 | ||||
-rw-r--r-- | js/galleryfileaction.js | 4 | ||||
-rw-r--r-- | js/slideshow.js | 26 | ||||
-rw-r--r-- | js/thumbnail.js | 5 |
4 files changed, 15 insertions, 21 deletions
diff --git a/appinfo/app.php b/appinfo/app.php
index a749c3ee..7fece59d 100644
--- a/appinfo/app.php
+++ b/appinfo/app.php
@@ -71,6 +71,7 @@ if (isset($request->server['REQUEST_URI'])) {
 */
 Util::addScript($appName, 'vendor/bigshot/bigshot-compressed');
 Util::addScript($appName, 'vendor/image-scale/image-scale.min');
+ Util::addScript($appName, 'vendor/dompurify/src/purify');
 Util::addScript($appName, 'galleryfileaction');
 Util::addScript($appName, 'slideshow');
 Util::addScript($appName, 'slideshowcontrols');
diff --git a/js/galleryfileaction.js b/js/galleryfileaction.js
index e0a74645..968c9a81 100644
--- a/js/galleryfileaction.js
+++ b/js/galleryfileaction.js
@@ -37,6 +37,10 @@
 register: function (mediaTypes) {
 //console.log("enabledPreviewProviders: ", mediaTypes);
 if (mediaTypes) {
+ // Remove SVG if the user is using an insecure browser (IE8-9)
+ if (window.galleryFileAction.features.indexOf('native_svg') > -1 && !window.btoa) {
+ mediaTypes.splice(mediaTypes.indexOf('image/svg+xml'), 1);
+ }
 galleryFileAction.mediaTypes = mediaTypes;
 }
 var i, mediaTypesLength = mediaTypes.length;
diff --git a/js/slideshow.js b/js/slideshow.js
index 97a86caf..c6f791fe 100644
--- a/js/slideshow.js
+++ b/js/slideshow.js
@@ -1,3 +1,4 @@
+/* global DOMPurify */
 (function ($, OC, OCA, t) {
 "use strict";
 /**
@@ -172,9 +173,7 @@
 this.imageCache[url].reject(url);
 }
 }.bind(this);
- if (mimeType === 'image/svg+xml' &&
- !document.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#Image",
- "1.1")) {
+ if (mimeType === 'image/svg+xml') {
 image.src = this._getSVG(url);
 } else {
 image.src = url;
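Review bot: The added splice in the `register` hunk of js/galleryfileaction.js assumes `'image/svg+xml'` is present in `mediaTypes`; when `indexOf` returns -1, `mediaTypes.splice(-1, 1)` silently drops the last media type in the list instead of the SVG entry. Look the index up first and only remove on a hit: `var svgIndex = mediaTypes.indexOf('image/svg+xml');` / `if (svgIndex > -1) { mediaTypes.splice(svgIndex, 1); }`. The splice also mutates the array the caller handed in, which is presumably intended since it is then stored on `galleryFileAction`, but a one-line comment saying so would help the next reader. The body of `register` continues past the end of the hunk.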
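Review bot: In the js/slideshow.js hunk at line 173, `image.src = this._getSVG(url);` is now reached for every SVG, but `_getSVG` (changed later in this commit) returns `null` when `window.btoa` or the SVG feature check is missing or the fetch is not a 200, so the assignment sets `src` to the string "null" and the browser requests a bogus URL before the error handler fires. Rather than assigning the null, route it to the same rejection the handler above already performs, e.g. `var svg = this._getSVG(url); if (svg === null) { this.imageCache[url].reject(url); } else { image.src = svg; }`. Falling back to the raw `url` would bypass the sanitization this commit introduces, so the rejection is the safer branch. The enclosing function starts and ends outside the hunk.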
@@ -349,26 +348,17 @@
 */
 _getSVG: function (source) {
 var svgPreview = null;
- if (window.btoa) {
+ // DOMPurify only works with IE10+ and we load SVGs in the IMG tag
+ if (window.btoa &&
+ document.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#Image",
+ "1.1")) {
 var xmlHttp = new XMLHttpRequest();
 xmlHttp.open("GET", source, false);
 xmlHttp.send(null);
 if (xmlHttp.status === 200) {
- if (xmlHttp.responseXML) {
- // Has to be base64 encoded for Firefox
- svgPreview =
- "data:image/svg+xml;base64," + window.btoa(xmlHttp.responseText);
- } else {
- svgPreview = source;
- }
+ var pureSvg = DOMPurify.sanitize(xmlHttp.responseText);
+ svgPreview = "data:image/svg+xml;base64," + window.btoa(pureSvg);
 }
- } else {
- // This is exclusively for IE8
- var message = t('gallery',
- "<strong>Error!</strong> Your browser can't display SVG files.<br>" +
- "Please use a more modern alternative");
- this.showErrorNotification(message);
- svgPreview = '/core/img/filetypes/image.png';
 }
 return svgPreview;
diff --git a/js/thumbnail.js b/js/thumbnail.js
index ed13e1e8..0353d6e5 100644
--- a/js/thumbnail.js
+++ b/js/thumbnail.js
@@ -142,8 +142,7 @@ function Thumbnail (fileId, square) {
 imageData = window.btoa(pureSvg);
 }
 thumb.image.src =
- 'data:' + preview.mimetype + ';base64,' +
- imageData;
+ 'data:' + preview.mimetype + ';base64,' + imageData;
 } else {
 thumb.valid = false;
 thumb.image.src = Thumbnails._getMimeIcon(preview.mimetype);
@@ -159,7 +158,7 @@ function Thumbnail (fileId, square) {
 * Returns the link to the media type icon
 *
 * Modern browsers get an SVG, older ones a PNG
- *
+ *
 * @param mimeType
 *
 * @returns {*|string} |
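Review bot: `DOMPurify.sanitize(xmlHttp.responseText)` in `_getSVG` is called without checking that the library actually loaded; if `vendor/dompurify/src/purify` (wired in only via the appinfo/app.php hunk of this same commit) is missing or blocked, the call throws a ReferenceError inside the slideshow instead of falling through to the `return svgPreview` null path. Extending the new guard to `if (window.btoa && window.DOMPurify && document.implementation.hasFeature(...))` makes an absent sanitizer behave like an unsupported browser rather than a crash. Separately, `window.btoa(pureSvg)` throws InvalidCharacterError for any character outside Latin-1, which an SVG with non-ASCII `<text>` content can contain; wrapping that encoding in a try/catch that leaves `svgPreview` null keeps such files on the same fallback path. The closing brace of `_getSVG` lies outside the hunk.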